title: Malicious ShellIntel PowerShell Commandlets
author: Max Altgelt, Tobias Michalski
date: 2021/08/09
description: Detects Commandlet names from ShellIntel exploitation scripts.
detection:
  SELECTION_1:
    ScriptBlockText: '*Invoke-SMBAutoBrute*'
  SELECTION_2:
    ScriptBlockText: '*Invoke-GPOLinks*'
  SELECTION_3:
    ScriptBlockText: '*Out-Minidump*'
  SELECTION_4:
    ScriptBlockText: '*Invoke-Potato*'
  condition: (SELECTION_1 or SELECTION_2 or SELECTION_3 or SELECTION_4)
falsepositives:
  - Unknown
id: 402e1e1d-ad59-47b6-bf80-1ee44985b3a7
level: high
logsource:
  category: ps_script
  definition: Script Block Logging must be enabled
  product: windows
modified: 2021/10/16
references:
  - https://github.com/Shellntel/scripts/
status: experimental
tags:
  - attack.execution
  - attack.t1059.001
yml_filename: powershell_shellintel_malicious_commandlets.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script